CVE-2026-35205

Summary

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

Affected Software

VendorProductVersion RangeStatus
helmhelm>= 4.0.0, < 4.1.4affected

Weaknesses

  • CWE-636: CWE-636: Not Failing Securely ('Failing Open')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary code execution due to insufficient plugin provenance verification

Additional References

References